Honeypot Threat Analysis — May 26, 2026
Critical threat level — massive coordinated attack activity across all honeypot services.
Threat Landscape Overview
Today’s activity was characterized by a high volume of connections and login attempts to our SSH honeypot. Despite the critical severity rating, the event level is considered low due to the minimal number of commands executed and unique IPs involved. This suggests that while there was significant traffic generated, it did not lead to any substantial exploitation or malicious activities.
Geographic Analysis
Geographically, the attack traffic originated from a diverse set of locations across Europe and Asia. The United States remains the most active region with a total of 21 attacks reported. France and China also contributed significantly with their respective counts. Other notable countries include Germany, Romania, Belgium, the Netherlands, Vietnam, and the Russian Federation, along with some IPs of unknown origin.
SSH Brute Force Analysis
The predominance of SSH brute force attempts highlights the necessity for continuous vigilance against unauthorized access. The attackers tried common passwords such as ‘admin’, ‘1234’, ‘123456’, ‘ubuntu’, and ‘P’. This indicates that users may not be changing their passwords regularly, or that they are using weak passwords in general.
Post-Exploitation Behavior
After logging in successfully and obtaining TTY sessions, the attackers’ activities were primarily confined to requesting known HTTP paths. They particularly targeted ‘/favicon.ico’, ‘/.well-known/traffic-advice’, ‘/wiki’, ‘/robots.txt’, and ‘/’ (the root). This suggests a preliminary scan for web-based vulnerabilities.
Web Scanner Activity
There was no evidence of malicious activity through the HTTP LLM honeypot. The observed requests were standard HTTP traffic, consistent with ordinary use of the web application rather than exploitation attempts.
Malware Captures
No malware samples were downloaded by attackers via SSH today. This is a significant positive outcome as it suggests that our monitoring system is effective in detecting and thwarting potential threats before they can cause harm.
SSH Tarpit (Endlessh)
The tarpit mechanism was inactive, indicating no attempts to slow down or trap attackers. The low number of unique IPs accessing the honeypot further supports this observation, suggesting a high level of vigilance on our part.
Canarytoken Alerts
Five-seven canarytoken alerts were triggered during today’s activity. The fake AWS keys and SSH keys that attackers picked up and used indicate an ongoing effort to test or probe our system for vulnerabilities. This underscores the importance of maintaining robust defense mechanisms against such threats.
Community Defense
All reported IPs have been shared with relevant security organizations, ensuring comprehensive defense and quick response in case of any future incidents.
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.